Specialists of the Swiss information security company Prodaft managed to gain access to the servers used by the hacker group associated with the SolarWinds hack. This allowed them to find out whom the attackers were targeting and how they conducted their operations. According to the experts, the hacking operation was still ongoing this month.
Information security experts managed to hack the computer infrastructure belonging to the cybercriminals and study the details of a large-scale malicious campaign that took place from March to August last year. During the campaign, the cybercriminals attacked thousands of companies and government organizations in Europe and the United States. The cybercriminal group, which the researchers named SilverFish, was engaged in espionage and data theft, Prodaft said.
According to the researchers, SilverFish carried out "extremely sophisticated" cyberattacks on at least 4,720 victims, including government agencies, IT providers, dozens of banks, EU organizations, large audit and consulting firms, as well as world leaders in the COVID-19 testing market, aviation and defense technology.
In their attacks on victims, the attackers used not only the SolarWinds backdoor, but also other methods. Prodaft experts do not attribute SilverFish to the government of any particular country, but clarify that it is an APT group. The hackers show signs of being a government-funded group, they said. In particular, they do not pursue financial gain and they attack critical infrastructure.
However, in order to assign a group to a specific government, a more detailed analysis is required. For example, the Prodaft report does not imply that hackers from Russia are behind the attacks (according to the US authorities, Russians are responsible for the SolarWinds attacks).
The report of the Swiss information security company was received skeptically by many American cybersecurity experts, who believe that cyberattacks are an operation of Russian cyber spies. Nonetheless, researchers at Malwarebytes described Prodaft's findings as "valid."
The company's specialists also described how the attackers carried out their operation. According to them, the hackers worked during standard business hours - Monday through Friday from 8:00 to 20:00. Their servers are located in Russia and Ukraine, and some of them are also used by Evil Corp.
The group is an "extremely well-organized" cyber-espionage organization made up of four teams named 301, 302, 303 and 304. SilverFish attacked government organizations and large corporations, including Fortune 500 companies. The hackers were not interested in organizations in Russia, Ukraine, Uzbekistan and Georgia. Organizations in the United States (2,465 organizations) and Europe (1,466 organizations), including Italy, the Netherlands, Denmark, Austria, France and the United Kingdom, suffered the most at the hands of the hackers.
The hackers wrote comments "in Russian slang and vernacular", while English was the second main language. The source code also contained identification numbers and aliases, including "new hacker", "cyberbro netsupport" and "walter", for 14 people who likely worked under the direction of the four teams, the report said.
The full report is available from Prodaft.